tickets #163901: Elasticsearch AppArmor not enforced - openSUSE admin - openSUSE Project Management Tool

Actions

Copy link

tickets #163901

open

Elasticsearch AppArmor not enforced

Added by crameleon 13 days ago. Updated 13 days ago.

Status:

New

Priority:

Normal

Assignee:

Category:

Wiki

Target version:

Start date:

2024-07-14

Due date:

% Done:

Estimated time:

Description

water3 (en.o.o search backend):~ # aa-unconfined |grep java
2178 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (/usr/bin/java) confined by 'elasticsearch//null-/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (complain)'

water (en.o.o search backend):~ # aa-unconfined |grep java
2064 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/bin/java (/usr/bin/java) not confined

Systemd hardening for the units is pretty much non-existent too.

Given the ancient version of Elasticsearch, and the service being exposed on the internet through the search feature on public wiki instances, I deem this concerning.